Overview of how FFUs work and what the raw data looks like in XKS

Targets’ use of FFUs

How to exploit in XKS

HTTP Activity Search

(new) Web File Transfer Search
What is an FFU?

A free file uploader (FFU) is a website that allows you to upload a file and then hosts that file for others to download.

Think of the “dropbox” service that we have on NSAnet.

Since free file uploaders are web-based, the HTTP Activity plug-in will be the first place to look for activity.

We’ll also introduce the Web File Transfer plug-in.
Most FFU sites are free and don’t require accounts, but only allow for basic service.

For example, files might only be stored for a short period of time.

Or the person who uploads a file does not have much visibility into who has downloaded their files and how many times.
“Premium” accounts for U

Some FFU sites allow for “premium” access, maybe just by registering or maybe by charging the user a fee.

Premium access might allow for more uploads per account, or files that can be stored longer.

Some premium accounts give the uploader “admin” insight into how many times a given file was downloaded (commonly referred to as a “counter”).

Some premium account sites will even allow the uploader to see the IP address and datetimes associated with each download.
Example of “Premium” access

For Zshare.com:

[Screenshot of the zSHARE upload form; recovered text:]
Maximum upload size 500MB. Now up to 2GB for Premium users! and 1GB for registered users!
Privacy: (o) Share your file with the world (Recommended) ( ) For your eyes only (Private) * Registered users only
Challenges with FFU

Almost no FFU activity contains strong selectors (username or e-mail addresses), making it difficult to identify our target’s use of these services.

In most cases we see a URL to the file that doesn’t contain the original filename (e.g. http://www.zshare.net/download/6365962739d34eba).
HTTP Activity

HTTP activity comes in two types:

[Diagram; only the label “FFU Servers” is legible after extraction]
How FFUs work

Client-to-Server request of the homepage:

GET / HTTP/1.1
User-Agent: Opera/9.22 (Windows NT 5.1; U; en)
Host: www.zshare.net
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Cache-Control: max-stale=0
Connection: close
X-BlueCoat-Via: 0A6F53530F3F63EE
How FFUs work

Server-to-client response of the homepage:

[Screenshot of the zSHARE homepage response; not legible after extraction]
How FFUs work

Client-to-Server POST of the file:

POST /cgi-bin/ubr_upload.pl?upload_id=6963384d1a981de0b38312900b149ae9&multiple=0&is_private=0&is_eighteen=0&pass=&descr= HTTP/1.1
User-Agent: Opera/9.22 (Windows NT 5.1; U; en)
Host: dl081.zshare.net:3000
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Expect: 100-continue
Referer: http://www.zshare.net/
Cookie: sid=65985202ca9ff4f0fd000e0e4a182d59
Cookie2: $Version=1
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
Content-Length: 17048
Content-Type: multipart/form-data; boundary=9yxPJQJxOm5CCaMbP4XHns
How FFUs work

The POST contains the file, but also the answers to the checkboxes on the homepage.

[Screenshot of the upload form; recovered text:]
Description:
Privacy: (o) Share your file with the world. (Recommended) ( ) For your eyes only (Private)
[ ] Nudity (18+)
[x] I have read and agree to the TOS

Corresponding parts of the multipart body:

--9yxPJQJxOm5CCaMbP4XHns
Content-Disposition: form-data; name="descr"

--9yxPJQJxOm5CCaMbP4XHns
Content-Disposition: form-data; name="is_private"

0
--9yxPJQJxOm5CCaMbP4XHns
Content-Disposition: form-data; name="TOS"

1
--9yxPJQJxOm5CCaMbP4XHns
Content-Disposition: form-data; name="pass"

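As an added example (not from the original slides), here is how a network-monitoring or DLP sensor would pull the same fields out of such a POST body: a small multipart/form-data parser run over a constructed body that reuses the boundary and field names shown above. The file part, its field name "upfile", the filename and the file bytes are assumptions, not captured data.

```python
import re

# Constructed sample of a multipart/form-data upload body, modelled on the
# zSHARE POST above (same boundary and field names). The file part, its field
# name "upfile", the filename and the file bytes are assumptions, not capture.
BOUNDARY = "9yxPJQJxOm5CCaMbP4XHns"
SAMPLE_BODY = (
    b"--9yxPJQJxOm5CCaMbP4XHns\r\n"
    b'Content-Disposition: form-data; name="descr"\r\n\r\n'
    b"\r\n"
    b"--9yxPJQJxOm5CCaMbP4XHns\r\n"
    b'Content-Disposition: form-data; name="is_private"\r\n\r\n'
    b"0\r\n"
    b"--9yxPJQJxOm5CCaMbP4XHns\r\n"
    b'Content-Disposition: form-data; name="TOS"\r\n\r\n'
    b"1\r\n"
    b"--9yxPJQJxOm5CCaMbP4XHns\r\n"
    b'Content-Disposition: form-data; name="pass"\r\n\r\n'
    b"\r\n"
    b"--9yxPJQJxOm5CCaMbP4XHns\r\n"
    b'Content-Disposition: form-data; name="upfile"; filename="example pics.zip"\r\n'
    b"Content-Type: application/zip\r\n\r\n"
    b"PK\x03\x04fake-zip-bytes\r\n"
    b"--9yxPJQJxOm5CCaMbP4XHns--\r\n"
)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body into form fields and file parts.

    Returns {"fields": {name: value}, "files": [{"field", "filename", "size"}]}.
    """
    delim = b"--" + boundary.encode()
    fields, files = {}, []
    # Parts sit between delimiter lines; the closing delimiter ends with "--".
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter reached
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, payload = chunk.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):               # CRLF before next delimiter
            payload = payload[:-2]
        headers = head.decode("latin-1")
        name = re.search(r';\s*name="([^"]*)"', headers)
        if not name:
            continue                                # not a form-data part
        fname = re.search(r'filename="([^"]*)"', headers)
        if fname:
            files.append({"field": name.group(1), "filename": fname.group(1),
                          "size": len(payload)})
        else:
            fields[name.group(1)] = payload.decode("latin-1")
    return {"fields": fields, "files": files}


def upload_summary(body: bytes, boundary: str) -> dict:
    """What a DLP or network-monitoring sensor would log for an FFU upload:
    which files left the network and which options the uploader picked."""
    parsed = parse_multipart(body, boundary)
    opts = parsed["fields"]
    return {
        "filenames": [f["filename"] for f in parsed["files"]],
        "bytes_uploaded": sum(f["size"] for f in parsed["files"]),
        "private": opts.get("is_private") == "1",
        "password_protected": bool(opts.get("pass")),
        "tos_accepted": opts.get("TOS") == "1",
    }


if __name__ == "__main__":
    print(upload_summary(SAMPLE_BODY, BOUNDARY))
```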
How FFUs work

Client-to-Server checks of upload progress:

GET /uber_upload/ubr_get_progress.php?upload_id=6963384d1a981de0b38312900b149ae9&start_time=1249571328&total_upload_size=17048&rnd_id=1249568235728 HTTP/1.1
User-Agent: Opera/9.22 (Windows NT 5.1; U; en)
Host: dl081.zshare.net:3000
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://www.zshare.net/
Cookie: sid=65985202ca9ff4f0fd000e0e4a182d59; __utma=213908895.1732651668.1249568234.1249568234.1249568234.1; __utmb=213908895; __utmc=213908895; __utmz=213908895.1249568234.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Cookie2: $Version=1
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
How FFUs work

Server-to-client response after successful upload:

[Screenshot of the zSHARE page; recovered text:]

Welcome to zSHARE

With zSHARE you can upload files, images, videos, audio and flash for free. Simply use the upload form below and start sharing! You can also use zSHARE as your personal file storage: backup your data and protect your files. First Time? Read our FAQ!

* Upload now
* Login
* Create Free Account
* Premium
* FAQ

File Uploaded

The file khi pics.zip was successfully uploaded! (4.04MB). You're now ready to share it with unlimited people or keep it as a backup.

Download Link: http://www.zshare.net/download/637199570b174c9f/
Link for forums: [URL=http://www.zshare.net/download/637199570b174 (cut off in the screenshot)
Direct Link: http://www.zshare.net/download/637199570b174c9f/
Delete Link: http://www.zshare.net/delete.html?63719957-7c8893b11

E-mail Me This Info

To receive all the info on the file you uploaded, such as removal instructions and download link, enter your e-mail address on the field below:

Your e-mail:
Critical piece of collection

This one server to client session serves as proof of the success of the upload and it connects the original filename to the URL that will be passed around in e-mail or forum posts.

[Screenshot: the “File Uploaded” section of the same response, with the filename (khi pics.zip) and the Download, forum, Direct and Delete links highlighted]
How FFUs work

HTTP activity in time order:

HTTP Type | Host                  | URL Path                          | URL Args
get       | www.zshare.net        | /                                 |
post      | dl081.zshare.net:3000 | /cgi-bin/ubr_upload.pl            | upload_id=6963384d1a981de0b38312900b149ae9&multiple=0&is_private=0&is_eighteen=0&pass=&descr=
get       | dl081.zshare.net:3000 | /uber_upload/ubr_set_progress.php | upload_id=6963384d1a981de0b38312900b149ae9
get       | dl081.zshare.net:3000 | /uber_upload/ubr_link_upload.php  | rnd_id=1249568215 (remaining digits illegible)
get       | dl081.zshare.net:3000 | /index2.php                       | upload_id=6963384d1a981de0b38312900b149ae9&fn=(illegible).zip&descr=&multiple=0&pass=&is_p (cut off)
get       | dl081.zshare.net:3000 | /uber_upload/ubr_get_progress.php | upload_id=6963384d1a981de0b38312900b149ae9&start_time=1249571328&total_upload_size=17048&rnd_id=1 (cut off)
get       | dl081.zshare.net:3000 | /uber_upload/ubr_get_progress.php | upload_id=6963384d1a981de0b38312900b149ae9&start_time=1249571828&total_upload_size=17048&rnd_id=1 (cut off)
How does that activity look in XKS?

Client to server request for the homepage (the same GET / request shown earlier):

HTTP activity meta-data:

Application Info: http://www.zshare.net/
Datetime: 2009-08-06 15:16:13
HTTP Type: get
Host: www.zshare.net
Application Type: filetransfer
Application: filetransfer/web/zshare
AppID (+Fingerprints):
How does that activity look in XKS?

Server-to-Client response of the homepage:

[Screenshot of the zSHARE homepage as rendered in XKS; apart from “Welcome to zSHARE” and “Upload a File, Image, Video, Audio or Flash - Unlimited Downloads” the text is not legible after extraction]

HTTP activity meta-data:

Application Info: zSHARE - Free Image, Video, Audio, Flash and File Hosting
HTTP Type: response
Application Type: filetransfer
Application: filetransfer/web/zshare
AppID (+Fingerprints): filetransfer/web/zshare
How does that activity look in XKS?

Client-to-Server POST of file (the same POST shown earlier):

HTTP activity meta-data:

HTTP Type: post
Host: dl081.zshare.net:3000
URL Path: /cgi-bin/ubr_upload.pl
URL Args: upload_id=6963384d1a981de0b38312900b149ae9&multiple=0&is_private=0&is_eighteen=0&pass=&descr=
Cookie: sid=65985202ca9ff4f0fd000e0e4a182d59
Referer: http://www.zshare.net/
Attachment Filename: khi pics.zip
How does that activity look in XKS?

Client-to-Server checks of upload status (the same progress-check GET shown earlier):

HTTP activity meta-data:

HTTP Type: get
Host: dl081.zshare.net:3000
URL Path: /uber_upload/ubr_set_progress.php
URL Args: upload_id=6963384d1a981de0b38312900b149ae9
Cookie: sid=65985202ca9ff4f0fd000e0e4a182d59
Referer: http://www.zshare.net/
Application: filetransfer/web/zshare
AppID (+Fingerprints): filetransfer/web/zshare
How does that activity look in XKS?

Server-to-Client successful upload:

[Screenshot of the “File Uploaded” response as rendered in XKS, the same page shown earlier; not legible after extraction]

HTTP activity meta-data:

Application Info: zSHARE - Free Image, Video, Audio, Flash and File Hosting
HTTP Type: response
Application Type: filetransfer
Application: filetransfer/web/zshare.net/upload/response
AppID (+Fingerprints): filetransfer/web/zshare.net/upload/response filetransfer/web/deletelink filetransfer/web/upload/delete
Introducing the “Web File Transfer” search

Web File Transfer plug-ins were built to harvest valuable pieces of information which are not pulled out by default in the HTTP activity search.

For example, in the server to client response we see the name of the file that was uploaded, the URL to be used to download the file and the delete key, all great pieces of information!
Web File Transfer search

For example:

[Screenshot of the zSHARE “File Uploaded” response shown earlier; recovered text:]

File Uploaded

The file khi pics.zip was successfully uploaded! (4.04MB). You're now ready to share it with unlimited people or keep it as a backup.

Download Link: http://www.zshare.net/download/637199570b174c9f/
Link for forums: [URL=http://www.zshare.net/download/637199570b174 (cut off in the screenshot)
Direct Link: http://www.zshare.net/download/637199570b174c9f/
Delete Link: http://www.zshare.net/delete.html?63719957-7c8893b11

E-mail Me This Info: To receive all the info on the file you uploaded, such as removal instructions and download link, enter your e-mail address on the field below.
Web File Transfer search

Web File Transfer plug-ins were built to extract fields like this:

[Screenshot of the same “File Uploaded” response with the filename, Download Link, Link for forums, Direct Link and Delete Link boxed]

Extracted fields:

File URL: http://www.zshare.net/download/637199570b174c9f/
Filename: khi pics.zip
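As an added example (not the plug-in's own code), here is the kind of extraction described above, written as a defender would for network forensics: it reads an upload-success response and ties the original filename to the download and delete URLs, and returns nothing for a page that is not a success page. The sample HTML, its filename, size, hex ids and the regexes are assumptions modelled on the zSHARE page shown above.

```python
import re
from typing import Optional
from html import unescape

# Constructed sample of a zSHARE-style "File Uploaded" response, modelled on
# the page above. The filename, size and the hex ids are made up; the URL
# shapes (/download/<id>/ and /delete.html?<key>) follow the slide.
SAMPLE_RESPONSE = """
<h2>File Uploaded</h2>
<p>The file <b>example pics.zip</b> was successfully uploaded! (4.04MB).
You're now ready to share it with unlimited people or keep it as a backup.</p>
<b>Download Link</b>
<input value="http://www.zshare.net/download/0123456789abcdef/">
<b>Link for forums:</b>
<input value="[URL=http://www.zshare.net/download/0123456789abcdef/]example pics.zip[/URL]">
<b>Direct Link:</b>
<input value="http://www.zshare.net/download/0123456789abcdef/">
<b>Delete Link:</b>
<input value="http://www.zshare.net/delete.html?01234567-deadbeef001">
"""

# A homepage response: no upload marker, so nothing should be extracted.
SAMPLE_HOMEPAGE = "<h1>Welcome to zSHARE</h1><p>Use the upload form below.</p>"

# One pattern per field the plug-in is described as extracting. These are
# assumptions about the page shape, written for this sample, not the site's own.
FILENAME_RE = re.compile(
    r"The file\s*(?:<[^>]+>)?\s*(.+?)\s*(?:<[^>]+>)?\s*was successfully uploaded!"
    r"\s*\(([\d.]+\s*[KMG]B)\)", re.S)
DOWNLOAD_RE = re.compile(r"https?://www\.zshare\.net/download/[0-9a-f]+/?")
DELETE_RE = re.compile(r"https?://www\.zshare\.net/delete\.html\?[0-9a-f-]+")


def extract_upload_record(html: str) -> Optional[dict]:
    """Tie the original filename to the URLs the uploader will pass around.

    Returns {"filename", "size", "download_url", "delete_url"}, or None when
    the response is not an upload-success page.
    """
    text = unescape(html)
    hit = FILENAME_RE.search(text)
    if hit is None:
        return None                     # e.g. the homepage or a listing page
    download = DOWNLOAD_RE.search(text)
    delete = DELETE_RE.search(text)
    return {
        "filename": hit.group(1).strip(),
        "size": hit.group(2).replace(" ", ""),
        "download_url": download.group(0) if download else None,
        "delete_url": delete.group(0) if delete else None,
    }


if __name__ == "__main__":
    print(extract_upload_record(SAMPLE_RESPONSE))
    print(extract_upload_record(SAMPLE_HOMEPAGE))
```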
Web File Transfer search

Other examples:

[Screenshot of an XKS result for a RapidShare upload-success page. Legible parts: Contents (1); File name / File type / File size / Attachments columns with an HTTP/HTML entry; “Display Information: HTTP/HTML”; the RapidShare page text “Thank you for your upload”, “Your Download-Link #1: http://rapidsh (cut off)” and “Your Delete-Link #1: http://rapidsh (cut off)”, an MD5 line, and the “Send download link via e-mail” form (name, recipient e-mail addresses, short message)]
Searching on FFUs in XKS

When you see an FFU URL passed around, you can use the HTTP activity parser to see if anyone went to that URL.

Use the HTTP activity search and simply copy and paste the URL into the “URL field builder”.

Make sure to add a valid foreign IP address or foreign country code to your search to make it USSID18 compliant!!
Searching on FFUs in XKS

For example, if we see this URL passed around in traffic: http://www.zshare.net/download/6365962739d34eba

[Screenshot of the XKS HTTP Activity search form; recovered fields:]
Search: HTTP Activity
Query Name:
Justification:
Additional Justification:
Miranda Number:
Datetime: 1 Month, Start: 2009-07-12 00:00
URL Field Builder: “Enter a URL that will be automatically parsed to populate the host, path and argument fields:” http://www.zshare.net/download/6365962739d34eba [Enter] [Cancel]
[Populate with URL Field Builder]
Searching on FFUs in XKS

Make sure to AND your search with a valid foreign target, like IP address or country or city code!!

[Screenshot of the search form’s IP Address, Port and Country fields (From/To) with the IP Address Field Builder buttons]
Searching on FFUs in XKS

It’s also worth it to search the URL as the “referer” and again remember to add something “foreign”.

[Screenshot of the search form with the IP Address, Port and Country (From/To) fields and the IP Address Field Builder]
Searching on FFUs in XKS

To find all files being uploaded to FFUs from a given IP address/range or city/country code, use the HTTP activity query:

[Screenshot of the HTTP Activity query form; recovered fields:]
Application: filetransfer/web/zshare/upload
Country: PK (From)
IP Address: 119. (From; rest cut off)
Searching on FFUs in XKS

If you want to try to find who uploaded the file that generated that URL, use the Web File Transfer plug-in.

[Screenshot of the XKS plug-in list, “Classic N-Z”:]
Network Logs
PDF Metadata
PILBEAM
PPF VoIP Metadata
Passport
Phone Number Extractor
REGAN
REGISTRY
RTF
Radius Logs
SIP
SSL Parser
TGR Log
Tech Strings in Document
User Activity
WLAN
Web File Transfer
Web Proxy
Wireshark
Searching on FFUs in XKS

To find all file upload success web-pages, which have the filename and the FFU URL, use the Web File Transfer Search:

[Screenshot of the Web File Transfer search form; recovered fields:]
Transfer Type: upload
Site Name: zshare.net
IP Address: 119. (To; rest cut off)
Country: PK
Searching on FFUs in XKS

To try to find the filename associated with a URL, enter the URL into the “File URL” field, again remember to add something “foreign”.

[Screenshot of the Web File Transfer search form; recovered fields:]
Search: Web File Transfer
Query Name:
Justification:
Additional Justification:
Miranda Number:
Datetime: 1 Month, Start: 2009-07-12 00:00, Stop: 2009-08 (day illegible)
File URL: http://www.zshare.net/download/637199570b (cut off in the screenshot)
Filename:
File Type:
Extension:
File Size:
IP Address / Port / Country (From/To) with the IP Address Field Builder